We use Kerberos/LDAP auth for all of our Linux boxes (Red Hat/SuSE Intel and z/series); it works great. We had some fun with pam_ldap and pam_krb5 versions integrating with SSH (you want to find a version of pam_krb5 that includes the shmem option, or else ssh clients won't ever get a Kerberos ticket after logging on), but there are copious amounts of documentation out there on it. Additionally, if your AD is at Win2K3 R2 functional level, it's far easier because you don't need to mess around at all with MS SFU and extend the schema.
One other note:

<snip>the quickest route is to use winbind (from Samba) to authenticate, which is suboptimal (in that it relies on Samba rather than just Kerberos plus LDAP) but very easy.</snip>

I completely agree that setting up Samba is easy, almost TOO easy because...

<lesson_learned_hard_way> Just be careful, as Samba has a nice feature where if you don't disable it, it rigs the Master Browser Elections so that Samba ALWAYS wins regardless. So when our Network team rebooted a domain controller one evening, they were quite surprised to find my Linux desktop was now the Domain Master Browser instead of their shiny new domain controller they had expected to take over. </lesson_learned_hard_way>

My $.02

jrw
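
An added example, not part of the original post or of Samba itself: a small Python check of an smb.conf `[global]` section for the browser-election parameters behind the master-browser surprise described above. The parameter names and defaults are Samba's (smb.conf(5)); the policy that the host must never win an election, the function names, and the sample configurations are assumptions of this example.

```python
import configparser

# Samba's built-in values for the browser-election parameters (smb.conf(5)).
DEFAULTS = {"local master": "yes", "preferred master": "auto",
            "domain master": "auto", "os level": "20"}
OFF = {"no", "false", "0"}


def load_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = lambda k: " ".join(k.lower().split())
    # Strip indentation so configparser does not treat it as continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    for name in cp.sections():
        if name.lower() == "global":
            return dict(cp[name])
    return {}


def audit(text):
    """Return (parameter, value) pairs that let nmbd contend in elections.
    Assumed policy: host never becomes master browser (all off, os level 0)."""
    eff = {**DEFAULTS, **load_global(text)}
    findings = [(p, eff[p]) for p in ("local master", "preferred master",
                                      "domain master")
                if eff[p].strip().lower() not in OFF]
    if int(eff["os level"]) > 0:
        findings.append(("os level", eff["os level"]))
    return findings


# Constructed sample configurations, not taken from the original post.
RISKY = """[global]
   security = ads
   preferred master = yes
   os level = 65
"""
HARDENED = """[global]
   local master = no
   preferred master = no
   domain master = no
   os level = 0
"""

if __name__ == "__main__":
    for label, conf in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, audit(conf))
```

Parameters left unset are reported with their Samba default, so a file that never mentions browsing still shows up in the findings.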
